1. Field of the Invention
This invention relates to technology which authenticates the relation between digital data and an individual/organization.
2. Description of Related Art
As the information society has evolved recently, more and more digital data is used instead of traditional printed matter as communication media. Digital data is sometimes sold as a valuable commodity.
In the information society like this, some means are necessary to authenticate the relation between digital data and an individual/organization in order to prevent crimes or malicious actions including illegal copying, illegal alteration, and illegal use of digital data. For example, to check that digital data has been provided by an authentic organization, some means are necessary to authenticate the relation between the digital data and the authentic organization. Similarly, to check the source of digital data or to check the individual or organization owning the right to digital data, some means are necessary to authenticate the relation between the digital data and an individual or an organization.
Conventionally, a technique known as a digital signature has been used to authenticate the relation between digital data and an individual/organization.
As described in xe2x80x9cANGO RIRON NYUMON (Introduction to Cryptography)xe2x80x9d, pages 133-137, Kyoritsu Shuppan Co., Ltd. 1993, the digital signature technique, developed to prove the correctness of documents, combines public key cipher technology with one-way functions.
In this technology, a pair of keys, a private key S and a public key V which satisfy g(f (n, S) V)=n and f(g (n, V), S)=n, is created first, where n represents data, and f and g represent functions. These formulae mean that data encrypted with the private key S may be decrypted by with the public key V and that, conversely, data encrypted with the public key V may be decrypted with the private key S. It should also be noted that it is virtually impossible to find the private key S from the public key V.
Once the private key S and the public key V are created, the creator passes the public key V to a partner and holds the private key S privately.
When the key creator sends data to the partner, the creator passes data to which a digital signature is attached. This digital signature is created by evaluating data with a predetermined one-way function and then encrypting the resulting evaluation value with the private key S.
The one-way function described above can calculate an evaluation value from data, but it is impossible to virtually calculate the original data from the evaluation value. In addition, it is necessary for the one-way function used in creating a digital signature to return a unique bit string for each piece of unique data; that is, the probability of the function returning the same bit string to two or more pieces of data must be very small. An example of such functions is a one-way hash function which evaluates data and returns a bit string as the evaluation value of the data. The evaluation value h(D) calculated by the one-way hash function is called the hash value of D, where h is the one-way hash function and D is data.
Upon receiving data to which a digital signature is attached, the receiving partner evaluates the data with the one-way function to obtain an evaluation value and then checks if the evaluation value matches the value generated by decrypting the digital signature using the public key V. When they match, it is verified that the digital signature was created by the holder of the private key S corresponding to the public key V and that the digital signature is for the data that was received.
The technique described in xe2x80x9cApplied Cryptographyxe2x80x9d, John Wilsy and Sons, Inc. (1996), pp 39-41, is known as a technique for creating digital signatures for use by a plurality of persons that are attached to one piece of data.
When this technique is used, not all signature creators need to generate the hash value of data to create a digital signature; and instead, each of the second and subsequent signature creators calculates the hash value of the digital signature of the immediately-preceding creator to get his or her digital signature. That is, the first signature creator calculates the hash value of data and then encrypts the resulting hash value with his or her own private key to get a digital signature, as described above. The second creator encrypts the hash value of the first creator""s digital signature with his or her own private key to get a digital signature. This is repeated for the subsequent signature creators. That is, the n-th creator encrypts the hash value of the (nxe2x88x921)th creator""s digital signature with his or her own private key to obtain a digital signature.
In this case, the digital signatures created by n signature creators are verified as follows. The final digital signature is decrypted by the public key of the final (n-th) signature creator, the decrypted digital signature is then decrypted by the public key of the (n-1)th signature creator, and so on, until the digital signature of the first signature creator is decrypted. If the result obtained by decrypting the signature by the public key of the first signature creator matches the hash value of the original data, it is determined that the digital signature was created by n signature creators each having his or her own public key and that the digital signature corresponds to the data. However, when the sequence in which the signature creators created signatures is not known, this technique requires that the above process be performed for the number of times generated by permutating all signature creators.
Also available for authenticating the relation between digital data and an individual/organization is a technique known as a digital watermark.
As described in Nikkei Electronics (1997), No. 683, pp. 99-107, this technique embeds management information, such as copyright information, into image data itself.
The digital watermark technique has the following features. Embedded data is not usually seen when image data containing that embedded information is displayed and, in addition, the image data itself displayed on a screen is almost not affected by the embedded information. Removing only the embedded information is difficult and, if the embedded information is removed accurately, the picture quality of the image data is significantly degraded. In general, even when the image data is compressed, embedded information may be restored to some extent.
A digital watermark technique which enables information to be embedded, not into image data, but into text data, drawing data (graphic data), and audio data has also been proposed.
In Nikkei Electronics (1997), No. 683, pp. 99-107, a technique using such digital watermark for preventing the illegal copy of contents, which are composed of digital data such as image data, is also described.
This technique embeds the identification of the contents purchaser into the contents in the form of a digital watermark. When illegally copied contents are seized, the embedded information is extracted to identify the person (that is, the purchaser) who produced the illegal copy.
The basic procedure for embedding purchaser""s identification information is as follows:
(1) The provider (contents provider) assigns a unique number to a contents purchaser.
(2) The provider embeds the number of the contents purchaser into the contents in the form of a digital watermark.
(3) When illegally-copied contents are found and seized, the provider or inspection division extracts the number from the contents to identify the purchaser.
(4) The penalty is imposed on the purchaser for illegal copy or for lending the contents to a person who produced the illegal copy.
Recently, a WWW (World Wide Web) system, composed of a WWW server program and a browser program, has become popular as means for providing and sending information to a plurality of users over an open network such as the Internet. As this type of WWW system has become widely used, it has become necessary to be able to authenticate the relation between a Web page, which contains digital data made available on a WWW server, and an individual/organization in order to prevent crimes or malicious actions from occurring through the illegal use of the WWW system. For example, when a Web page is guaranteed by some authentic organization, it is necessary to be able to authenticate the relation between the Web page and the organization to allow the user to make sure that the Web page is truly guaranteed. Similarly, to check the individual""s or organization right to a Web page creator or a Web page, the relation between the Web page and the individual or organization must be able to be authenticated.
As described in the April 1996 issue of xe2x80x9cOPEN DESIGNxe2x80x9d (published by CQ Publishing Co., Ltd. Issuer: Ryoji Gamou), pp. 4-22 and pp. 40-78, a WWW system features not only the easy-to-operate graphical user interface (GUI) but also the usability which allows the user to reference related information linked by hypertext. This WWW system has contributed to the fast growth of the Internet.
The outline of a WWW system introduced by the publication is as follows:
The WWW system is composed of at least one WWW server on which a WWW server program for publishing information runs and at least one client terminal on which a browser program for browsing published information runs. Data is transferred between the WWW server and the client terminal via the communication protocol called HTTP (HyperText Transfer Protocol).
To publish information on the WWW server, a server user must create a Web page containing data to be published. This page contains text data, image data, audio data, video data, and link data to other Web pages, all interconnected using a structure description language called HTML (Hyper Text Markup Language). Then, the user stores this Web page in a location (directory) in the WWW server so that it may be accessed from other computers (client terminals or other WWW servers).
To browse a published Web page from a client terminal using a browser program, a terminal user must type the URL (Universal Resource Locator) of the Web page. Then, the Web page is sent from the WWW server to the client terminal. The text data, image data, and video data of the Web page are displayed on the client terminal screen. Audio data, if included in the page, is produced from the speaker connected to the client terminal.
The recent trend is that the WWW system like this is used not only as the communication means but also in business. One such application is an electronic commerce system which provides the user with information on goods using this WWW system.
The overview of this electronic commerce system is described in xe2x80x9cJYOHOSHORI (Information Processing), No. 9 of volume 38xe2x80x9d, pp. 752-810 (Issuer: Kouji Iizuka, Published by Jyohoshori Gakkai (Information Processing Society of Japan)).
The electronic commerce system described in the above-mentioned publication not only provides the user with information on goods but also settles accounts with the use of the cryptography technology, such as common key cipher and public key cipher, and the authentication technology such as digital signatures. In this system, many settlement methods, including bank settlements, credit card settlements, or electronic money settlements, are used.
In such an electronic commerce system, most vendors include into their web pages the image data, such as the logos of credit card companies, to allow the user to instantly select one of various payment methods. This is similar to a real-world (not a virtual world such as the Internet) store where the logos of the credit card companies are put up on the counter or in the show window.
Sometimes, a Web page may also contain image data, such as logo marks indicating the Web page creator or an authentic individual or organization which has authorized the Web page, to allow a Web page user to instantly ascertain who has created the Web page or that the Web page has been authorized by the authentic individual or organization.
The above-described digital watermark technology has the following problems.
First, the relation between information embedded as a digital watermark and an individual/organization indicated by the embedded information is not always guaranteed. That is, it cannot be always said that the information embedded in the digital data indicates the relation between the individual/organization and the digital data correctly.
For example, with the illegal copy prevention technique described above, a number embedded in the illegally-copied contents cannot always be used as a proof that the illegally-copied contents were purchased by the purchaser corresponding to that number. That is, because the number was given by the provider one-sidedly, the purchaser may insist that the number found in the copy is not the one assigned to him or her.
In the case of the Web page described above, there is a possibility of an illegal user forging information to pretend to be some other user and embedding it as a digital watermark or alternatively he may pretend that the information is guaranteed by an authentic organization.
Second, the relation between digital data and an individual/organization indicated by the information embedded as a digital watermark is not guaranteed.
For example, in the illegal copy prevention technique described above, there is no proof that a purchaser""s number is embedded correctly in the content purchased by the purchaser. In other words, there is a possibility that a person other than the purchaser (for example, a person at the provider) has mistakenly or maliciously embedded the purchaser""s number in a content not purchased by the purchaser.
In the case of the Web page described above, there is a possibility of an illegal user extracting a digital watermark, embedding it in a Web page by an individual/organization, and embedding it in his/her Web page to pretend to be the legal purchaser or to pretend that his/her page is guaranteed by an authentic organization.
Third, when there are many copyright holders for a single content with much copyright information that must be embedded in it with the use of the digital watermark technique, the quality of the content (image quality when the content is image data) is significantly degraded.
Fourth, the digital watermark technology is not suitable for digital data, such as a Web page, containing several types of data. For example, when the technology is used for digital data containing text data, drawing data, and image data, each type of data must be processed separately.
On the other hand, the digital signature technique is cumbersome because digital data as well as the digital signatures associated with the digital data must be managed as a pair. In addition, digital signatures, which can be separated from digital data much easier than digital watermarks, cannot be used for preventing illegal copies.
Another problem with digital watermarks and digital signatures is that, because they are invisible, the digital data user cannot immediately understand the relation between digital data indicated by digital watermarks or digital signatures and an individual/organization.
For example, digital watermarks and digital signatures do not present the user with information on the relation between a Web page and an individual/organization in the same way as a Web page including logo marks as image data does. This means that digital watermarks and digital signatures do not directly guarantee that the relation between digital data indicated by digital watermarks or digital signatures and an individual/organization corresponds to the relation between digital data presented directly to the user and the individual/organization.
On the other hand, a logo mark added to a Web page is image data. Therefore, it cannot be authenticated that the Web page actually contains data that is indicated by the relation between the logo mark and an individual/organization.
Take the logo mark of a credit card company for example. Imagine that an illegal user copies the logo mark of a credit card company from the Web page of a legal agent of the company, pastes it into an appropriate location of the Web page of the agent owned by the illegal user, and then stores the Web page in the WWW server so that any computer may access it. In this case, a consumer may judge, from the logo mark of the credit card company contained in the Web page of the agent owned by the illegal user, that the agent is legal and may send data necessary for settlement, such as a credit card number, to that WWW server. As a result, the illegal user is able to obtain the credit number of the consumer illegally and make an illegal profit.
In view of the foregoing, it is an object of this invention to provide a technique which authenticates the relation between digital data and an individual/organization more reliably. It is another object of this invention to provide a technique which directly presents the user with digital information on an individual/organization associated with digital data such that the relation between the digital information and the individual/organization corresponds to the relation between the digital data itself and the individual/organization.
To achieve the above objects, a method according to this invention is an embed-in-content information processing method for processing information embedded in a content using an electronic computer, the method comprising the steps of creating cryptographic information by encrypting specific data using a private key in accordance with a public key cipher system used by content-handling persons; and embedding the created cryptographic information into the content such that the cryptographic information cannot be separated from the content without using a predetermined rule.
Here, the description that the cryptographic information cannot be separated from the content without using the predetermined rule means that, when the predetermined rule is not used, the cryptographic information cannot be separated by a method other than the trial-and-error method.
In this method, the cryptographic information is extracted from the content containing the cryptographic information for use in decrypting with the use of a public key paired with the private key used by the content-handling persons, and then the decrypted result is verified to check if it matches the specific data. If the content in which the cryptographic information is embedded is an illegal copy, the content-handling person of the content from which the illegal copy was created may be identified.
In this case, this determination is made by verifying information embedded in the illegal copy, wherein the information depends on the private key known only to the content-handling person of the content and may be created only by the content-handling person of the content. This makes clear the correspondence between the information embedded in the illegal copy and the content-handling person of the content from which the illegal copy was created.
The cryptographic information embedded in the content may be a value dependent on the content into which the cryptographic information is to be embedded. For example, the value may be a digital signature generated by encrypting the hash value of the content. This value makes even clearer the correspondence between the information embedded in the illegal copy and the content-handling person of the content from which the illegal copy was created.
To achieve the above object, this invention is an embed-in-content information processing method for embedding information on k (k is an integer equal to or larger than 2) content-handling persons using an electronic computer, the method comprising the steps of embedding a digital signature into the content such that the digital signature cannot be separated from the content without using a predetermined rule, the digital signature being created by encrypting an n-bit hash value using a private key in accordance with a public key cipher system used by a first content-handling person, the n-bit hash value being obtained by evaluating the content with a first hash function; and sequentially repeating digital signature embedding for a second person to a k-th content-handling person, wherein, for an i-th content-handling person (i is an integer between 2 and k), the content into which the digital signatures of the first to an (ixe2x88x921) content-handling persons are embedded is evaluated with a second hash function, wherein a resulting n/2-bit hash value is encrypted using the private key of the i-th content-handling person to generate the digital signature of the i-th content-handling person, and wherein the digital signature of the i-th content-handling person is embedded into the content in which the digital signatures from the first to the (ixe2x88x921)th persons are already embedded such that the digital signature of the i-th content-handling person cannot be separated from the content without using a predetermined rule.
This method allows the k person""s digital signatures to be embedded into the content using n+(kxe2x88x921)xc2x7n/2 bits, with little effect on the security.
This invention is also an embed-in-content information processing method for embedding information on k (k is an integer equal to or larger than 2) content-handling persons using an electronic computer, the method comprising the steps of creating a digital signature of a first content-handling person by encrypting a hash value using a private key in accordance with a public key cipher system of the first content-handling person, the hash value being created by evaluating the content with a first hash function; sequentially repeating digital signature creation for a second person to a k-th content-handling persons to create the digital signatures of the content-handling persons; and embedding the digital signature of the k-th content-handling person into the content such that the digital signature cannot be separated from the content without using a predetermined rule, the digital signature being obtained by performing the digital signature creation for the k-th content-handling person, wherein, during the digital signature creation processing for an i-th content-handling person (i is an integer between 2 and k), a value dependent on the digital signature of the (i-)th content-handling person is encrypted using the private key of the i-th content-handling person to generate the digital signature of the (ixe2x88x921)th content-handling person. According to the embed-in-content information processing method, when the value determined by the value of the digital signature is n bits long, embedding only n-bit data into the content enables information for verifying k content-handling persons to be embedded into the content.
To achieve the above object, this invention is an information authentication method managed by a manager trusted by both an information publisher and an information browser, wherein the information publisher adds multimedia data to information published by the information publisher in such a way that the multimedia data may be validated and wherein the information browser checks the validity of the information according to whether or not the multimedia data is validated.
In this method, the information is validated, for example, by the manager, who is contacted by all participants, validating multimedia data added to the information.
More specifically, a user who browses a Web page determines its validity according to whether the manager authenticates the validity of the image data pasted in the Web page, that is, whether the image data is valid, and whether the manager authenticates the fact that the image data is pasted in the Web.
In this method, when the multimedia data is validated, the information may be presented to the information browser as necessary. For example, when the image data is determined to be valid in the above Web page, the information may be filtered so that the Web page may be displayed.
To achieve the above objects, this invention provides a method for creating authenticatable digital data including authentication data for authenticating the digital data using an electronic computer, the method comprising the steps of generating mark data recognizable by a user when the user uses the digital data; generating watermark-embedded mark data wherein specific information is embedded as a digital watermark into the mark data; and including the watermark-embedded mark data into the digital data to generate the authenticatable digital data.
In this method, the specific information may be a hash value generated by evaluating the digital data with a predetermined hash function.
The specific information may also be a digital signature generated by encrypting an evaluation value, generated by evaluating the digital data with a predetermined function, with a private key according to predetermined public key cipher.
According to those methods, the mark may be validated with the information embedded in the watermark-embedded mark data. The hash value embedded as the digital watermark may be used to authenticate that the mark is given to the digital data. The digital signature embedded as the digital watermark may be used to authenticate the validity of an individual/organization which guarantees the mark.
This invention also provides a plurality of systems for realizing the methods.
For example, this invention provides a content distribution system comprising a distribution system outputting a content to be distributed and a content receiving system receiving the distributed content, wherein the distribution system comprises encrypting means for encrypting a content to be distributed and wherein the receiving system comprises decrypting means for decrypting a distributed content; signature creating means for creating cryptographic information by encrypting specific data using a private key in accordance with a public key cipher system used by a user of the receiving system; and signature embedding means for embedding the created cryptographic information into the content such that the cryptographic information cannot be separated from the content without using a predetermined rule.
This invention also provides a content distribution system wherein the decrypting means, the signature creating means, and the signature embedding means are configured such that decrypting cannot be performed by the decrypting means before the cryptographic information is created and embedded by the signature creating means and the signature embedding means and wherein it is difficult to modify the receiving system such that decrypting is performed by the decrypting means before the cryptographic information is created and embedded by the signature creating means and the signature embedding means, respectively.
This invention also provides a content distribution system wherein the encrypting means of the distribution system encrypts the content using the public key of the user of the receiving system and the decrypting means of the receiving system decrypts the content encrypted using the private key of the user of the distribution system.
These content distribution systems may have a verification system comprising signature extracting means for extracting cryptographic information from the content in which cryptographic information is embedded and signature verifying means for verifying that a result obtained by decrypting the extracted cryptographic information using a public key used by content-handling persons matches the specific data.
In these content distribution systems, the signature creating means of the receiving system may use information containing a decrypted-content-dependent value as the specific data and may use a digital signature which the receiving system user has for the content as the cryptographic information, the digital signature being generated by encrypting the specific data using the private key in accordance with the public key cipher system used by the receiving system user.
This invention also provides a data processing system used to attach a signature to a content. This system comprises digital signature creating means for calculating a hash value by evaluating the content with a hash function and then encrypting the calculated hash value with a private key of a user of the data processing system in accordance with the public key cipher system used by the user to generate a digital signature; and digital watermark creating means for embedding the created digital signature into the content as a digital watermark.
This invention also provides a system comprising a generation system which generates authenticatable digital data and an authentication system which authenticates authenticatable digital data, wherein the generation system comprises means for generating mark data recognizable by a user when a user uses the digital data; means for generating watermark-embedded mark data into which specific information is embedded as digital watermark; and means for including the watermark-embedded mark data into the digital data to generate the authenticatable digital data and wherein the authentication system comprises means for extracting the mark data from the authenticatable digital data; means for extracting from the extracted mark data the predetermined information included as the digital watermark; and means for authenticating the digital data based on the extracted information.
More specifically, the authenticatable digital data is a Web page containing mark data. Based on the information embedded in the mark data as the digital watermark, the authentication system authenticates the Web page as well as the contents output by the mark data when the Web page is browsed. In this case, note that the individual/organization which generates the authenticatable digital data need not be the individual/organization which publishes this Web page. In this case, the individual/organization, which generates the Web page containing the authenticatable digital data according to a request from the individual/organization which publishes the Web page, may also create that Web page.
This invention also provides a recording medium including therein a program to be run by an electronic computer to execute the methods described above.
For example, this invention provides a computer-readable medium having stored therein a program which causes an electronic computer to perform a program comprising the steps of generating mark data recognizable by a user when the user uses the digital data; generating watermark-embedded mark data into which specific information is embedded as a digital watermark; and including the watermark-embedded mark data into the digital data to generate the authenticatable digital data.